SYM_JSTS_0164 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Assigning user-controlled input directly to `$window.location.href` in Angular can allow attackers to redirect users to malicious websites. The application's own navigation logic then sends the user wherever the attacker chooses.
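The flagged pattern next to a hardened version, as an added example that is not part of this wiki entry or the project's own code: the `$window` stand-in, the `next` parameter and all function names are hypothetical. The hardened path accepts only same-origin `http(s)` targets, so off-site URLs and non-HTTP schemes (the script-bearing case behind the CWE-79 mapping) fall back to a fixed page.

```javascript
// Stand-in for the injected $window service so the sketch runs under Node
// without a browser (assumption: only location.origin and location.href matter).
function makeWindow(origin) {
  return { location: { origin: origin, href: origin + '/login' } };
}

// Pattern the rule flags: a user-controlled value (here a hypothetical
// "next" route/query parameter) is assigned straight to location.href.
function redirectUnsafe($window, params) {
  $window.location.href = params.next;
}

// Resolve the value against the application's origin and accept it only if
// the result uses http(s) and stays on that origin. Returns the normalized
// absolute URL, or null when the value must not be used.
function resolveSameOrigin(raw, origin) {
  if (typeof raw !== 'string' || raw.length === 0) return null;
  let url;
  try {
    url = new URL(raw, origin); // handles relative and absolute input
  } catch (e) {
    return null;                // unparseable input is rejected
  }
  // Scheme allowlist: anything other than http(s) is refused outright.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  // Origin check also covers protocol-relative input such as //other.host/path.
  if (url.origin !== origin) return null;
  return url.href;
}

// Hardened version: navigate to the validated target, or to a fixed
// in-application fallback path when validation fails.
function redirectSafe($window, params, fallbackPath) {
  const origin = $window.location.origin;
  const target = resolveSameOrigin(params.next, origin);
  $window.location.href = target !== null ? target : origin + fallbackPath;
  return $window.location.href;
}
```

When the application legitimately needs to send users to other sites, replace the origin comparison with an explicit allowlist of destination origins rather than dropping the check.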
Impact
If exploited, attackers could trick users into visiting phishing or malicious sites, potentially stealing sensitive information or credentials. This can damage user trust, facilitate social engineering attacks, and expose your organization to legal and reputational risks.